AnsiblePilot — Master Ansible Automation

AnsiblePilot is the leading resource for learning Ansible automation, DevOps, and infrastructure as code. Browse over 1,400 tutorials covering Ansible modules, playbooks, roles, collections, and real-world examples. Whether you are a beginner or an experienced engineer, our step-by-step guides help you automate Linux, Windows, cloud, containers, and network infrastructure.

Popular Topics

About Luca Berton

Luca Berton is an Ansible automation expert, author of 8 Ansible books published by Apress and Leanpub including "Ansible for VMware by Examples" and "Ansible for Kubernetes by Example", and creator of the Ansible Pilot YouTube channel. He shares practical automation knowledge through tutorials, books, and video courses to help IT professionals and DevOps engineers master infrastructure automation.

Ansible for Post-Quantum Cryptography: Migrate TLS, SSH & PKI (2026 Guide)

By Luca Berton · Published 2024-01-01 · Category: troubleshooting

Complete guide to automating post-quantum cryptography migration with Ansible. Update SSH algorithms, configure PQC-ready TLS, migrate PKI certificates, audit.

NIST finalized three post-quantum cryptography (PQC) standards in 2024: ML-KEM (key encapsulation), ML-DSA (digital signatures), and SLH-DSA (stateless hash-based signatures). Migration pressure is increasing as organizations must transition before quantum computers break current RSA and ECC cryptography. Ansible automates the cryptographic inventory, configuration updates, and certificate migration across thousands of servers.

Why Automate PQC Migration?

ChallengeScaleAnsible Solution
Audit SSH key algorithmsEvery serverPlaybook scans all hosts
Update TLS cipher suitesEvery web server, load balancerTemplate-driven config updates
Rotate certificatesThousands of certsAutomated cert generation + deployment
Verify complianceContinuousScheduled audit playbooks
Rollback if issuesInstantCheck mode + staged rollout

Cryptographic Inventory Audit

Scan SSH Algorithms

- name: Audit SSH cryptographic algorithms
  hosts: all
  become: true
  tasks:
    - name: Get current SSH host key algorithms
      ansible.builtin.command: ssh -Q key
      register: ssh_key_algos
      changed_when: false

    - name: Get current SSH ciphers
      ansible.builtin.command: ssh -Q cipher
      register: ssh_ciphers
      changed_when: false

    - name: Check for weak SSH host keys
      ansible.builtin.find:
        paths: /etc/ssh
        patterns:
          - "ssh_host_dsa_key*"
          - "ssh_host_rsa_key*"    # RSA < 3072 bits vulnerable
      register: weak_keys

    - name: Collect current sshd_config algorithms
      ansible.builtin.shell: |
        grep -E "^(KexAlgorithms|Ciphers|MACs|HostKeyAlgorithms|PubkeyAcceptedKeyTypes)" /etc/ssh/sshd_config || echo "DEFAULTS"
      register: sshd_crypto
      changed_when: false

    - name: Generate crypto audit report
      ansible.builtin.copy:
        content: |
          Host: {{ inventory_hostname }}
          Date: {{ ansible_date_time.iso8601 }}
          SSH Key Algorithms: {{ ssh_key_algos.stdout_lines | join(', ') }}
          Weak Keys Found: {{ weak_keys.files | map(attribute='path') | list }}
          Current Config: {{ sshd_crypto.stdout }}
        dest: "/tmp/crypto-audit-{{ inventory_hostname }}.txt"
      delegate_to: localhost

Scan TLS Certificates

- name: Audit TLS certificates for PQC readiness
  hosts: web_servers
  tasks:
    - name: Check certificate algorithm
      ansible.builtin.command: >
        openssl x509 -in {{ item }} -noout -text
        -certopt no_subject,no_issuer,no_version,no_serial,no_validity,no_extensions
      loop:
        - /etc/ssl/certs/server.crt
        - /etc/nginx/ssl/cert.pem
      register: cert_info
      changed_when: false
      failed_when: false

    - name: Flag RSA certificates needing migration
      ansible.builtin.debug:
        msg: "⚠️ {{ item.item }} uses {{ 'RSA' if 'rsaEncryption' in item.stdout else 'ECDSA' }} — needs PQC migration plan"
      loop: "{{ cert_info.results }}"
      when: item.rc == 0 and ('rsaEncryption' in item.stdout or 'ecdsa' in item.stdout)

See also: Ansible for Data Sovereignty & Geopatriation: Manage Sovereign Cloud Infrastructure (2026 Guide)

Harden SSH for Post-Quantum Era

Configure SSH with Strong Algorithms

- name: Harden SSH configuration for PQC transition
  hosts: all
  become: true
  vars:
    ssh_kex_algorithms:
      - sntrup761x25519-sha512@openssh.com   # Hybrid PQC KEX (available in OpenSSH 9.0+)
      - curve25519-sha256
      - curve25519-sha256@libssh.org
      - diffie-hellman-group18-sha512
      - diffie-hellman-group16-sha512
    ssh_host_key_algorithms:
      - ssh-ed25519
      - ssh-ed25519-cert-v01@openssh.com
      - rsa-sha2-512
      - rsa-sha2-256
    ssh_ciphers:
      - chacha20-poly1305@openssh.com
      - aes256-gcm@openssh.com
      - aes128-gcm@openssh.com
    ssh_macs:
      - hmac-sha2-512-etm@openssh.com
      - hmac-sha2-256-etm@openssh.com

  tasks:
    - name: Check OpenSSH version for PQC support
      ansible.builtin.command: ssh -V
      register: ssh_version
      changed_when: false

    - name: Configure sshd for PQC-ready algorithms
      ansible.builtin.template:
        src: sshd_config_pqc.j2
        dest: /etc/ssh/sshd_config.d/99-pqc-hardening.conf
        owner: root
        group: root
        mode: '0600'
        validate: "sshd -t -f %s"
      notify: restart sshd

    - name: Remove weak SSH host keys
      ansible.builtin.file:
        path: "{{ item }}"
        state: absent
      loop:
        - /etc/ssh/ssh_host_dsa_key
        - /etc/ssh/ssh_host_dsa_key.pub
      notify: restart sshd

    - name: Generate Ed25519 host key if missing
      ansible.builtin.command: ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -N ""
      args:
        creates: /etc/ssh/ssh_host_ed25519_key
      notify: restart sshd

sshd_config Template

# PQC-Hardened SSH Configuration
# Managed by Ansible — do not edit manually

# Key Exchange — sntrup761 is hybrid PQC (lattice + X25519)
KexAlgorithms {{ ssh_kex_algorithms | join(',') }}

# Host Key Algorithms
HostKeyAlgorithms {{ ssh_host_key_algorithms | join(',') }}

# Ciphers
Ciphers {{ ssh_ciphers | join(',') }}

# MACs
MACs {{ ssh_macs | join(',') }}

# Disable weak key types
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key

# Modern key exchange parameters
RekeyLimit 1G 1h

Configure PQC-Ready TLS

Nginx with Hybrid PQC Cipher Suites

- name: Configure Nginx for PQC-ready TLS
  hosts: web_servers
  become: true
  vars:
    tls_protocols: "TLSv1.3"
    # X25519Kyber768 is hybrid PQC available in Chrome/Firefox/BoringSSL
    tls_curves: "X25519Kyber768Draft00:X25519:P-256:P-384"

  tasks:
    - name: Check OpenSSL version for PQC support
      ansible.builtin.command: openssl version
      register: openssl_version
      changed_when: false

    - name: Deploy PQC-ready Nginx TLS config
      ansible.builtin.template:
        src: nginx-tls-pqc.conf.j2
        dest: /etc/nginx/conf.d/tls-pqc.conf
        mode: '0644'
      notify: reload nginx

    - name: Test Nginx configuration
      ansible.builtin.command: nginx -t
      changed_when: false

Nginx TLS Template

# PQC-Ready TLS Configuration
# Managed by Ansible

ssl_protocols {{ tls_protocols }};
ssl_prefer_server_ciphers off;

# Enable hybrid PQC key exchange
ssl_ecdh_curve {{ tls_curves }};

# HSTS
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;

# OCSP Stapling
ssl_stapling on;
ssl_stapling_verify on;
resolver 1.1.1.1 8.8.8.8 valid=300s;

ssl_session_timeout 1d;
ssl_session_cache shared:PQC_SSL:50m;
ssl_session_tickets off;

See also: Ansible for AI Security: Protect Models, APIs & Data Pipelines (2026 Guide)

Compliance Reporting

- name: Generate PQC readiness compliance report
  hosts: all
  tasks:
    - name: Gather cryptographic facts
      ansible.builtin.set_fact:
        crypto_report:
          hostname: "{{ inventory_hostname }}"
          ssh_pqc_kex: "{{ 'sntrup761' in (ssh_kex_available | default('')) }}"
          openssl_version: "{{ openssl_ver | default('unknown') }}"
          tls_1_3_enabled: "{{ tls13_status | default(false) }}"
          weak_rsa_keys: "{{ weak_key_count | default(0) }}"

    - name: Write compliance report
      ansible.builtin.template:
        src: pqc-compliance-report.html.j2
        dest: "/var/reports/pqc-readiness-{{ ansible_date_time.date }}.html"
      delegate_to: localhost
      run_once: true

Migration Roadmap

PhaseTimelineAnsible Actions
AuditMonth 1Inventory all SSH keys, TLS certs, crypto algorithms
HardenMonth 2-3Remove DSA, enforce Ed25519, enable sntrup761 KEX
Hybrid TLSMonth 3-6Deploy X25519Kyber768 hybrid cipher suites
Certificate RotationMonth 6-12Migrate to PQC-ready CA, issue hybrid certificates
Full PQC2027+Pure PQC algorithms once widely supported

FAQ

What is post-quantum cryptography and why should I prepare now?

Post-quantum cryptography uses algorithms resistant to quantum computer attacks. NIST finalized standards (ML-KEM, ML-DSA, SLH-DSA) in 2024. "Harvest now, decrypt later" attacks mean encrypted data captured today could be decrypted by future quantum computers, making migration urgent.

Can Ansible automate PQC migration?

Yes. Ansible audits cryptographic configurations across your infrastructure, updates SSH algorithms, configures TLS cipher suites, rotates certificates, and generates compliance reports — all at scale across thousands of servers.

What is sntrup761x25519 in SSH?

It's a hybrid key exchange combining a post-quantum algorithm (NTRU Prime/sntrup761) with classical X25519. Available in OpenSSH 9.0+, it provides quantum resistance while maintaining classical security as a fallback.

How do I enable PQC in TLS?

Modern browsers support hybrid PQC via X25519Kyber768. Configure your web server (Nginx, Apache) to include this in ssl_ecdh_curve with TLS 1.3. Requires OpenSSL 3.2+ or BoringSSL.

See also: Ansible for Preemptive Cybersecurity: Proactive Defense Automation (2026 Guide)

Conclusion

Post-quantum cryptography migration is not optional — it's a matter of when, not if. Ansible provides the automation framework to audit, harden, and migrate cryptographic configurations at scale, turning a multi-year manual effort into repeatable, version-controlled playbooks.

Category: troubleshooting

Browse all Ansible tutorials · AnsiblePilot Home